corgea-cli 1.8.4__tar.gz → 1.8.7__tar.gz

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/Cargo.lock

@@ -293,6 +293,35 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6"
 
+[[package]]
+name = "cookie"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
+[[package]]
+name = "cookie_store"
+version = "0.21.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2eac901828f88a5241ee0600950ab981148a18f2f756900ffba1b125ca6a3ef9"
+dependencies = [
+ "cookie",
+ "document-features",
+ "idna",
+ "log",
+ "publicsuffix",
+ "serde",
+ "serde_derive",
+ "serde_json",
+ "time",
+ "url",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.9.4"
@@ -311,13 +340,14 @@ checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
 
 [[package]]
 name = "corgea"
-version = "1.8.4"
+version = "1.8.7"
 dependencies = [
  "chrono",
  "clap",
  "dirs",
  "git2",
  "globset",
+ "http",
  "http-body-util",
  "hyper",
  "hyper-util",
@@ -478,6 +508,15 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "document-features"
+version = "0.2.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4b8a88685455ed29a21542a33abd9cb6510b6b129abadabdcef0f4c55bc8f61"
+dependencies = [
+ "litrs",
+]
+
 [[package]]
 name = "either"
 version = "1.15.0"
@@ -1131,6 +1170,12 @@ version = "0.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "241eaef5fd12c88705a01fc1066c48c4b36e0dd4377dcdc7ec3942cea7a69956"
 
+[[package]]
+name = "litrs"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "11d3d7f243d5c5a8b9bb5d6dd2b1602c0cb0b9db1621bafc7ed66e35ff9fe092"
+
 [[package]]
 name = "lock_api"
 version = "0.4.14"
@@ -1421,6 +1466,22 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "psl-types"
+version = "2.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "33cb294fe86a74cbcf50d4445b37da762029549ebeea341421c7c70370f86cac"
+
+[[package]]
+name = "publicsuffix"
+version = "2.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f42ea446cab60335f76979ec15e12619a2165b5ae2c12166bef27d283a9fadf"
+dependencies = [
+ "idna",
+ "psl-types",
+]
+
 [[package]]
 name = "quick-xml"
 version = "0.36.2"
@@ -1502,6 +1563,8 @@ checksum = "9d0946410b9f7b082a427e4ef5c8ff541a88b357bc6c637c40db3a68ac70a36f"
 dependencies = [
  "base64",
  "bytes",
+ "cookie",
+ "cookie_store",
  "futures-channel",
  "futures-core",
  "futures-util",
@@ -1890,10 +1953,12 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
 dependencies = [
  "deranged",
+ "itoa",
  "num-conv",
  "powerfmt",
  "serde_core",
  "time-core",
+ "time-macros",
 ]
 
 [[package]]
@@ -1902,6 +1967,16 @@ version = "0.1.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
 
+[[package]]
+name = "time-macros"
+version = "0.2.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
 [[package]]
 name = "tinystr"
 version = "0.8.1"

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "corgea"
-version = "1.8.4"
+version = "1.8.7"
 edition = "2021"
 readme = "README.md"
 
@@ -11,6 +11,7 @@ clap = { version = "4.4.13", features = ["derive"] }
 dirs = "5.0.1"
 reqwest = { version = "0.12.23", default-features = false, features = [
     "blocking",
+    "cookies",
     "json",
     "multipart",
     "native-tls",
@@ -34,6 +35,7 @@ chrono = "0.4"
 tokio = { version = "1.0", features = ["full"] }
 hyper = { version = "1.0", features = ["full"] }
 hyper-util = { version = "0.1", features = ["full"] }
+http = "1"
 http-body-util = "0.1"
 url = "2.5"
 open = "5.0"

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: corgea-cli
-Version: 1.8.4
+Version: 1.8.7
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers

corgea_cli-1.8.7/skills/corgea/SKILL.md

@@ -0,0 +1,168 @@
+---
+name: corgea
+description: Scans code for security vulnerabilities using Corgea's AI-powered BLAST scanner and third-party tools, manages findings, and displays AI-generated fixes. Use when the user needs to scan for security issues, upload scan reports, list or inspect vulnerabilities, view fixes, or integrate security scanning into CI/CD.
+allowed-tools: Shell, Read, Grep, Glob, StrReplace
+---
+
+# Corgea CLI
+
+Find and fix security vulnerabilities using AI-powered scanning (BLAST), third-party scanners, and AI-generated fixes.
+
+## Commands
+
+### Scan — `corgea scan [scanner]`
+
+Default scanner is `blast` (AI-powered, server-side). Also supports `semgrep` and `snyk` (must be installed separately), blast should be used by default unless the user asked not to.
+
+```bash
+corgea scan                                    # BLAST scan, full project
+corgea scan semgrep                            # Semgrep scan, upload results
+corgea scan snyk                               # Snyk Code scan, upload results
+```
+
+#### BLAST Options
+
+```bash
+corgea scan --only-uncommitted                 # Staged/modified/untracked files only
+corgea scan --target src/,pyproject.toml       # Specific paths (comma-separated)
+corgea scan --target "src/**/*.py"             # Glob patterns
+corgea scan --target git:diff=origin/main...HEAD  # Git diff range
+corgea scan --target git:staged,git:modified   # Git selectors
+corgea scan --target -                         # File list from stdin
+corgea scan --scan-type secrets                # Single scan type
+corgea scan --scan-type blast,policy,secrets,pii  # Multiple scan types
+corgea scan --scan-type policy --policy 1      # Specific policy ID
+corgea scan --fail-on CR                       # Exit 1 on critical issues (CR, HI, ME, LO)
+corgea scan --fail                             # Exit 1 based on project blocking rules
+corgea scan --out-format json --out-file r.json   # Export (json, html, sarif, markdown)
+corgea scan --project-name my-service          # Override project name
+```
+
+Scan types: `blast` (base AI), `policy` (PolicyIQ), `malicious`, `secrets`, `pii`.
+
+`--only-uncommitted` and `--target` are mutually exclusive. `--fail-on` and `--fail` are mutually exclusive.
+
+### Upload — `corgea upload [report]`
+
+Upload an existing scan report to Corgea.
+
+```bash
+corgea upload path/to/report.json              # JSON, SARIF, Coverity XML
+corgea upload path/to/report.fpr               # Fortify FPR
+corgea upload report.sarif --project-name svc  # Custom project name
+cat report.json | corgea upload                # From stdin
+```
+
+Supported: Semgrep JSON, SARIF, Checkmarx (CLI/Web/XML), Coverity, Fortify FPR.
+
+### Wait — `corgea wait [scan_id]`
+
+```bash
+corgea wait                                    # Wait for latest scan
+corgea wait --scan-id SCAN_ID                  # Wait for specific scan
+```
+
+### List — `corgea list` (alias: `corgea ls`)
+
+```bash
+corgea ls                                      # List scans
+corgea ls --issues --scan-id SCAN_ID           # Issues for a scan
+corgea ls --sca-issues                         # SCA (dependency) issues
+corgea ls --issues --page 2 --page-size 10     # Pagination
+corgea ls --issues --scan-id SCAN_ID --json    # JSON output
+```
+
+| Flag | Short | Description |
+|------|-------|-------------|
+| `--issues` | `-i` | List code/SAST issues |
+| `--sca-issues` | `-c` | List SCA issues |
+| `--scan-id` | `-s` | Filter to a scan |
+| `--page` | `-p` | Page number |
+| `--page-size` | | Items per page |
+| `--json` | | JSON output |
+
+### Inspect — `corgea inspect <id>`
+
+```bash
+corgea inspect SCAN_ID                         # Scan overview with issue counts
+corgea inspect --issue ISSUE_ID                # Full issue details + fix
+corgea inspect --issue --summary ISSUE_ID      # Summary only
+corgea inspect --issue --fix ISSUE_ID          # Fix explanation only
+corgea inspect --issue --diff ISSUE_ID         # Diff only
+corgea inspect --issue --json ISSUE_ID         # JSON output
+```
+
+| Flag | Short | Description |
+|------|-------|-------------|
+| `--issue` | `-i` | Treat ID as issue (default: scan) |
+| `--summary` | `-s` | Summary only |
+| `--fix` | `-f` | Fix explanation only |
+| `--diff` | `-d` | Diff only |
+| `--json` | | JSON output |
+
+### Setup Hooks — `corgea setup-hooks`
+
+```bash
+corgea setup-hooks                             # Interactive configuration
+corgea setup-hooks --default-config            # Default: secrets + PII, fail on LO
+```
+
+Installs a pre-commit hook running `corgea scan blast --only-uncommitted`. Bypass with `git commit --no-verify`.
+
+## Common Workflows
+
+### Scan full project
+
+```bash
+corgea scan
+```
+
+### Scan uncommitted changes
+
+```bash
+corgea scan --only-uncommitted --fail-on HI
+```
+
+### Scan a PR diff
+
+```bash
+corgea scan --target git:diff=origin/main...HEAD --fail-on CR
+```
+
+### Review and apply a fix
+
+```bash
+corgea ls --issues --scan-id SCAN_ID
+corgea inspect --issue --diff ISSUE_ID
+```
+
+### CI/CD pipeline
+
+```bash
+corgea scan --fail-on CR --out-format sarif --out-file results.sarif
+```
+
+### Upload third-party reports
+
+```bash
+corgea upload report.json --project-name my-app
+```
+
+### Export results
+
+```bash
+corgea scan --out-format html --out-file report.html
+corgea scan --out-format sarif --out-file report.sarif
+```
+
+## Severity Levels
+
+`CR` (Critical), `HI` (High), `ME` (Medium), `LO` (Low)
+
+
+
+## Troubleshooting
+
+- **"token invalid" or authentication errors**: The user needs to authenticate with Corgea. Ask them to run `corgea login` (browser OAuth) or `corgea login <API_TOKEN>` to set up credentials. For single-tenant instances, use `corgea login --url https://<instance>.corgea.app <TOKEN>`. Tokens can also be set via the `CORGEA_API_TOKEN` environment variable.
+- **Third-party scanner not found**: `semgrep` or `snyk` must be installed and on `PATH`.
+- **Upload failures**: The CLI retries 3 times per file. Check file paths and permissions.

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/src/inspect.rs

@@ -19,7 +19,7 @@ pub fn run(
     println!();
     if *issues {
         let show_everything = !*summary && !*fix_explanation && !*fix_diff;
-        let issue_details = match utils::api::get_issue(&config.get_url(), &config.get_token(), id) {
+        let issue_details = match utils::api::get_issue(&config.get_url(), id) {
             Ok(issue) => issue,
             Err(e) => {
                 eprintln!("Failed to fetch issue details for issue ID {} with error:\n{}", id, e);
@@ -69,7 +69,7 @@ pub fn run(
             }
         }
     } else {
-        let scan_details = match utils::api::get_scan(&config.get_url(), &config.get_token(), id) {
+        let scan_details = match utils::api::get_scan(&config.get_url(), id) {
             Ok(details) => details,
             Err(e) => {
                 eprintln!("Failed to fetch scan details for scan ID {}: {}", id, e);
@@ -92,7 +92,7 @@ pub fn run(
         print_section("Engine", &scan_details.engine);
         let created_at = chrono::DateTime::<chrono::Utc>::from(SystemTime::now()).format("%Y-%m-%d %H:%M:%S").to_string();
         print_section("Created At", &created_at);
-        match scanners::blast::fetch_and_group_scan_issues(&config.get_url(), &config.get_token(), &scan_details.project) {
+        match scanners::blast::fetch_and_group_scan_issues(&config.get_url(), &scan_details.project) {
             Ok(counts) => {
                 let total_issues = counts.values().sum::<usize>();
                 let order = vec!["CR", "HI", "ME", "LO"];

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/src/list.rs

@@ -8,7 +8,7 @@ pub fn run(config: &Config, issues: &bool, sca_issues: &bool, json: &bool, page:
     let project_name = utils::generic::get_current_working_directory().unwrap_or("unknown".to_string());
     println!("");
     if *sca_issues {
-        let sca_issues_response = match utils::api::get_sca_issues(&config.get_url(), &config.get_token(), Some((*page).unwrap_or(1)), *page_size, scan_id.clone()) {
+        let sca_issues_response = match utils::api::get_sca_issues(&config.get_url(), Some((*page).unwrap_or(1)), *page_size, scan_id.clone()) {
             Ok(response) => response,
             Err(e) => {
                 debug(&format!("Error Sending Request: {}", e.to_string()));
@@ -87,7 +87,7 @@ pub fn run(config: &Config, issues: &bool, sca_issues: &bool, json: &bool, page:
 
         utils::terminal::print_table(table, Some(sca_issues_response.page), Some(sca_issues_response.total_pages));
     } else if *issues {
-        let issues_response = match utils::api::get_scan_issues(&config.get_url(), &config.get_token(), &project_name, Some((*page).unwrap_or(1)), *page_size, scan_id.clone()) {
+        let issues_response = match utils::api::get_scan_issues(&config.get_url(), &project_name, Some((*page).unwrap_or(1)), *page_size, scan_id.clone()) {
             Ok(response) => response,
             Err(e) => {
                 debug(&format!("Error Sending Request: {}", e.to_string()));
@@ -115,7 +115,7 @@ pub fn run(config: &Config, issues: &bool, sca_issues: &bool, json: &bool, page:
         if scan_id.is_some() {
             let mut page: u32 = 1;
             loop {
-                match utils::api::check_blocking_rules(&config.get_url(), &config.get_token(), scan_id.as_ref().unwrap(), Some(page)) {
+                match utils::api::check_blocking_rules(&config.get_url(), scan_id.as_ref().unwrap(), Some(page)) {
                     Ok(rules) => {
                         if rules.block {
                             render_blocking_rules = true;
@@ -224,7 +224,7 @@ pub fn run(config: &Config, issues: &bool, sca_issues: &bool, json: &bool, page:
 
         utils::terminal::print_table(table, issues_response.page, issues_response.total_pages);
     } else {
-        let (scans, page, total_pages) = match utils::api::query_scan_list(&config.get_url(), &config.get_token(), Some(&project_name), *page, *page_size) {
+        let (scans, page, total_pages) = match utils::api::query_scan_list(&config.get_url(), Some(&project_name), *page, *page_size) {
             Ok(scans) => {
                 let page = scans.page;
                 let total_pages = scans.total_pages;

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/src/main.rs

@@ -186,7 +186,8 @@ fn main() {
             eprintln!("No token set.\nPlease run 'corgea login' to authenticate.\nFor more info checkout our docs at Check out our docs at https://docs.corgea.app/install_cli#login-with-the-cli");
             std::process::exit(1);
         }
-        match utils::api::verify_token(config.get_token().as_str(), config.get_url().as_str()) {
+        utils::api::set_auth_token(&config.get_token());
+        match utils::api::verify_token(config.get_url().as_str()) {
             Ok(true) => {
                 return;
             }
@@ -207,7 +208,8 @@ fn main() {
             match effective_token {
                 Some(token_value) => {
                     let token_source = if token.is_some() { "parameter" } else { "CORGEA_TOKEN environment variable" };
-                    match utils::api::verify_token(&token_value, url.as_deref().unwrap_or(corgea_config.get_url().as_str())) {
+                    utils::api::set_auth_token(&token_value);
+                    match utils::api::verify_token(url.as_deref().unwrap_or(corgea_config.get_url().as_str())) {
                         Ok(true) => {
                             corgea_config.set_token(token_value.clone()).expect("Failed to set token");
                             if let Some(url) = url {

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/src/scan.rs

@@ -131,8 +131,8 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
     let github_env_vars = get_github_env_vars();
 
     let run_id = Uuid::new_v4().to_string();
-    let token = config.get_token();
     let base_url = config.get_url();
+    let api_base = "/api/v1";
     let project;
 
     if in_ci {
@@ -143,20 +143,20 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
     } else {
         project = utils::generic::determine_project_name(project_name.as_deref());
     }
-    let repo_data = std::env::var("REPO_DATA").unwrap_or_else(|_| "".to_string()); //encoded data to forward.
+    let repo_data = std::env::var("REPO_DATA").unwrap_or_else(|_| "".to_string());
 
     let scan_upload_url = if repo_data.is_empty() {
         format!(
-            "{}/api/cli/scan-upload?token={}&engine={}&run_id={}&project={}&ci={}&ci_platform={}", base_url, token, scanner, run_id, project, in_ci, ci_platform
+            "{}{}/scan-upload?engine={}&run_id={}&project={}&ci={}&ci_platform={}", base_url, api_base, scanner, run_id, project, in_ci, ci_platform
         )
     } else {
         format!(
-            "{}/api/cli/scan-upload?token={}&engine={}&run_id={}&project={}&ci={}&ci_platform={}&repo_data={}", base_url, token, scanner, run_id, project, in_ci, ci_platform, repo_data
+            "{}{}/scan-upload?engine={}&run_id={}&project={}&ci={}&ci_platform={}&repo_data={}", base_url, api_base, scanner, run_id, project, in_ci, ci_platform, repo_data
         )
     };
 
     let git_config_upload_url = format!(
-        "{}/api/cli/git-config-upload?token={}&run_id={}", base_url, token, run_id
+        "{}{}/git-config-upload?run_id={}", base_url, api_base, run_id
     );
     let client = utils::api::http_client();
 
@@ -177,7 +177,7 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
         }
 
         let src_upload_url = format!(
-            "{}/api/cli/code-upload?token={}&run_id={}&path={}", base_url, token, run_id, path
+            "{}{}/code-upload?run_id={}&path={}", base_url, api_base, run_id, path
         );
         debug(&format!("Uploading file: {}", path));
         let fp = Path::new(&path);
@@ -198,7 +198,10 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
             match res {
                 Ok(response) => {
                     if !response.status().is_success() {
-                        eprintln!("Failed to upload file {} {}... retrying", response.status(), path);
+                        let status = response.status();
+                        let body = response.text().unwrap_or_else(|_| "Unable to read response body".to_string());
+                        debug(&format!("Code upload failed with status: {}. Response body: {}", status, body));
+                        eprintln!("Failed to upload file {} {}... retrying", status, path);
                         std::thread::sleep(std::time::Duration::from_secs(1));
                         attempts += 1;
                     } else {
@@ -231,8 +234,23 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
     let input_bytes = input.as_bytes();
     let input_size = input_bytes.len();
     let max_upload_size = 50 * 1024 * 1024; // 50mb
-    let chunk_size = 1024 * 1024; // 1mb
-    let res = if input_size > max_upload_size {
+    let chunk_size = match std::env::var("DEBUG_CORGEA_OVERRIDE_REPORT_CHUNK_SIZE") {
+        Ok(val) => {
+            match val.parse::<usize>() {
+                Ok(mb) if mb > 0 => {
+                    debug(&format!("Overriding report chunk size to {} MB", mb));
+                    mb * 1024 * 1024
+                }
+                _ => {
+                    eprintln!("Invalid DEBUG_CORGEA_OVERRIDE_REPORT_CHUNK_SIZE value '{}', using default 1 MB", val);
+                    1024 * 1024
+                }
+            }
+        }
+        Err(_) => 1024 * 1024, // default 1mb
+    };
+    let is_chunked = input_size > max_upload_size;
+    let res = if is_chunked {
         let total_chunks = (input_size + chunk_size - 1) / chunk_size;
         debug(&format!("Uploading scan in {} chunks", total_chunks));
         let mut offset = 0usize;
@@ -246,8 +264,38 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
                 .header("Upload-Length", input_size.to_string())
                 .body(chunk.to_vec())
                 .send();
+
             let should_break = match &response {
-                Ok(res) => !res.status().is_success(),
+                Ok(res) => {
+                    if !res.status().is_success() {
+                        true
+                    } else {
+                        if let Some(server_offset) = res.headers().get("Upload-Offset") {
+                            let expected_offset = offset + chunk.len();
+                            if let Ok(server_offset_str) = server_offset.to_str() {
+                                if let Ok(server_offset_val) = server_offset_str.parse::<usize>() {
+                                    if server_offset_val != expected_offset {
+                                        eprintln!(
+                                            "Upload offset mismatch on chunk {}/{}: server has {} bytes but expected {}. \
+                                            This may indicate that chunks are being routed to different server instances. \
+                                            Please contact support.",
+                                            index + 1, total_chunks, server_offset_val, expected_offset
+                                        );
+                                        true
+                                    } else {
+                                        false
+                                    }
+                                } else {
+                                    false
+                                }
+                            } else {
+                                false
+                            }
+                        } else {
+                            false
+                        }
+                    }
+                },
                 Err(_) => true,
             };
             last_response = Some(response);
@@ -269,6 +317,8 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
     let mut sast_scan_id: Option<String> = None;
     let mut project_id: Option<String> = None;
 
+    let mut upload_failed = false;
+
     match res {
         Ok(response) => {
             if response.status().is_success() {
@@ -305,13 +355,24 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
                         }
                     }
                 }
-                println!("Successfully uploaded scan.");
+
+                if is_chunked && sast_scan_id.is_none() {
+                    eprintln!("Failed to upload scan: server did not return a scan ID after all chunks were sent. The scan was not created on the platform.");
+                    upload_failed = true;
+                } else {
+                    println!("Successfully uploaded scan.");
+                }
             } else {
-                eprintln!("Failed to upload scan: {}", response.status());
+                upload_failed = true;
+                let status = response.status();
+                let body = response.text().unwrap_or_else(|_| "Unable to read response body".to_string());
+                debug(&format!("Scan upload failed with status: {}. Response body: {}", status, body));
+                eprintln!("Failed to upload scan: {}", status);
             }
         }
         Err(e) => {
             eprintln!("Failed to send request: {}", e);
+            upload_failed = true;
         }
     }
 
@@ -343,7 +404,7 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
 
     if in_ci {
         let ci_data_upload_url = format!(
-            "{}/api/cli/ci-data-upload?token={}&run_id={}&platform={}", base_url, token, run_id, ci_platform
+            "{}{}/ci-data-upload?run_id={}&platform={}", base_url, api_base, run_id, ci_platform
         );
 
         let mut github_env_vars_json = serde_json::Map::new();
@@ -376,6 +437,10 @@ pub fn upload_scan(config: &Config, paths: Vec<String>, scanner: String, input:
         }
     }
 
+    if upload_failed {
+        std::process::exit(1);
+    }
+
     println!("Successfully scanned using {} and uploaded to Corgea.", scanner);
 
     if upload_error_count > 0 {

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/src/scanners/blast.rs

@@ -180,7 +180,7 @@ pub fn run(
     let _ = packaging_thread.join();
     print!("\r{}Project packaged successfully.\n", utils::terminal::set_text_color("", utils::terminal::TerminalColor::Green));
     println!("\n\nSubmitting scan to Corgea:");
-    let upload_result = match utils::api::upload_zip(&zip_path, &config.get_token(), &config.get_url(), &project_name, repo_info, scan_type, policy) {
+    let upload_result = match utils::api::upload_zip(&zip_path, &config.get_url(), &project_name, repo_info, scan_type, policy) {
         Ok(result) => result,
         Err(e) => {
             eprintln!("\n\nOh no! We encountered an issue while uploading the zip file '{}' to the server.\nPlease ensure that:
@@ -225,7 +225,7 @@ pub fn run(
         utils::terminal::show_loading_message("Collecting scan results... ([T]s)", stop_signal_clone);
     });
 
-    let classifications = match report_scan_status(&config.get_url(), &config.get_token(), &project_name) {
+    let classifications = match report_scan_status(&config.get_url(), &project_name) {
         Ok(issues_classes) => {
             *stop_signal.lock().unwrap() = true;
             let _ = results_thread.join();
@@ -258,7 +258,7 @@ pub fn run(
         }
     };
     if *fail {
-        let blocking_rules = match utils::api::check_blocking_rules(&config.get_url(), &config.get_token(), &scan_id, None) {
+        let blocking_rules = match utils::api::check_blocking_rules(&config.get_url(), &scan_id, None) {
             Ok(rules) => rules,
             Err(e) => {
                 eprintln!("Failed to check blocking rules: {}", e);
@@ -286,14 +286,14 @@ pub fn run(
             });
 
             if out_format == "json" {
-                let issues = match utils::api::get_all_issues(&config.get_url(), &config.get_token(), &project_name, Some(scan_id.clone())) {
+                let issues = match utils::api::get_all_issues(&config.get_url(), &project_name, Some(scan_id.clone())) {
                     Ok(issues) => issues,
                     Err(e) => {
                         eprintln!("\n\nFailed to fetch issues: {}\n\n", e);
                         std::process::exit(1);
                     }
                 };
-                let sca_issues = match utils::api::get_all_sca_issues(&config.get_url(), &config.get_token(), &project_name, Some(scan_id.clone())) {
+                let sca_issues = match utils::api::get_all_sca_issues(&config.get_url(), &project_name, Some(scan_id.clone())) {
                     Ok(issues) => issues,
                     Err(e) => {
                         eprintln!("\n\nFailed to fetch SCA issues: {}\n\n", e);
@@ -311,7 +311,7 @@ pub fn run(
                 println!("\n\nScan results written to: {}\n\n", out_file.clone());
             }
             else if out_format == "html" {
-                let report = match utils::api::get_scan_report(&config.get_url(), &config.get_token(), &scan_id, None) {
+                let report = match utils::api::get_scan_report(&config.get_url(), &scan_id, None) {
                     Ok(html) => html,
                     Err(e) => {
                         eprintln!("\n\nFailed to fetch scan report: {}\n\n", e);
@@ -325,7 +325,7 @@ pub fn run(
                 println!("\n\nScan report written to: {}\n\n", out_file.clone());
             }
             else if out_format == "sarif" {
-                let report = match utils::api::get_scan_report(&config.get_url(), &config.get_token(), &scan_id, Some("sarif")) {
+                let report = match utils::api::get_scan_report(&config.get_url(), &scan_id, Some("sarif")) {
                     Ok(sarif) => sarif,
                     Err(e) => {
                         eprintln!("\n\nFailed to fetch SARIF report: {}\n\n", e);
@@ -339,7 +339,7 @@ pub fn run(
                 println!("\n\nScan report written to: {}\n\n", out_file.clone());
             }
             else if out_format == "markdown" {
-                let report = match utils::api::get_scan_report(&config.get_url(), &config.get_token(), &scan_id, Some("markdown")) {
+                let report = match utils::api::get_scan_report(&config.get_url(), &scan_id, Some("markdown")) {
                     Ok(markdown) => markdown,
                     Err(e) => {
                         eprintln!("\n\nFailed to fetch Markdown report: {}\n\n", e);
@@ -402,7 +402,7 @@ pub fn wait_for_scan(config: &Config, scan_id: &str) {
     
         loop {
             std::thread::sleep(std::time::Duration::from_secs(1));
-            match check_scan_status(&scan_id, &config.get_url(), &config.get_token()) {
+            match check_scan_status(&scan_id, &config.get_url()) {
                 Ok(true) => {
                     *stop_signal.lock().unwrap() = true;
                     break;
@@ -444,16 +444,16 @@ pub fn wait_for_scan(config: &Config, scan_id: &str) {
 }
 
 
-pub fn check_scan_status(scan_id: &str, url: &str, token: &str) -> Result<bool, Box<dyn Error>> {
-    match utils::api::get_scan(url, token, scan_id) {
+pub fn check_scan_status(scan_id: &str, url: &str) -> Result<bool, Box<dyn Error>> {
+    match utils::api::get_scan(url, scan_id) {
         Ok(scan) => Ok(scan.status == "complete"),
         Err(e) => Err(e)
     }
 }
 
 
-pub fn fetch_and_group_scan_issues(url: &str, token: &str, project: &str) -> Result<HashMap<String, usize>, Box<dyn std::error::Error>> {
-    let issues = match utils::api::get_all_issues(url, token, project, None) {
+pub fn fetch_and_group_scan_issues(url: &str, project: &str) -> Result<HashMap<String, usize>, Box<dyn std::error::Error>> {
+    let issues = match utils::api::get_all_issues(url, project, None) {
         Ok(issues) => issues,
         Err(err) => {
             return Err(format!("Failed to fetch scan issues: {}", err).into());
@@ -468,8 +468,8 @@ pub fn fetch_and_group_scan_issues(url: &str, token: &str, project: &str) -> Res
     Ok(classification_counts)
 }
 
-pub fn report_scan_status(url: &str, token: &str, project: &str) ->  Result<HashMap<String, usize>, Box<dyn std::error::Error>>{
-    let classification_counts = match fetch_and_group_scan_issues(url, token, project) {
+pub fn report_scan_status(url: &str, project: &str) ->  Result<HashMap<String, usize>, Box<dyn std::error::Error>>{
+    let classification_counts = match fetch_and_group_scan_issues(url, project) {
         Ok(counts) => counts,
         Err(e) => {
             return Err(e);

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/src/utils/api.rs

@@ -19,20 +19,129 @@ fn get_source() -> String {
     std::env::var("CORGEA_SOURCE").unwrap_or_else(|_| "cli".to_string())
 }
 
-pub fn http_client() -> reqwest::blocking::Client {
-    let mut builder =
-        reqwest::blocking::Client::builder().timeout(std::time::Duration::from_secs(5 * 30));
+fn is_jwt(token: &str) -> bool {
+    let parts: Vec<&str> = token.splitn(4, '.').collect();
+    parts.len() == 3 && parts.iter().all(|p| !p.is_empty())
+}
+
+fn auth_headers(token: &str) -> HeaderMap {
+    let mut headers = HeaderMap::new();
+    if is_jwt(token) {
+        headers.insert(
+            "Authorization",
+            format!("Bearer {}", token).parse().unwrap(),
+        );
+    } else {
+        headers.insert("CORGEA-TOKEN", token.parse().unwrap());
+    }
+    headers.insert("CORGEA-SOURCE", get_source().parse().unwrap());
+    headers
+}
+
+static AUTH_TOKEN: std::sync::LazyLock<std::sync::RwLock<String>> =
+    std::sync::LazyLock::new(|| std::sync::RwLock::new(String::new()));
 
-    if let Ok(https_proxy) = std::env::var("https_proxy") {
-        debug(&format!("https_proxy detected: {}", https_proxy));
+pub fn set_auth_token(token: &str) {
+    *AUTH_TOKEN.write().unwrap() = token.to_string();
+}
+
+static COOKIE_JAR: std::sync::LazyLock<std::sync::Arc<reqwest::cookie::Jar>> =
+    std::sync::LazyLock::new(|| std::sync::Arc::new(reqwest::cookie::Jar::default()));
+
+static SHARED_CLIENT: std::sync::LazyLock<reqwest::blocking::Client> =
+    std::sync::LazyLock::new(|| {
+        let mut builder = reqwest::blocking::Client::builder()
+            .timeout(std::time::Duration::from_secs(5 * 30))
+            .cookie_provider(COOKIE_JAR.clone());
+
+        if let Ok(https_proxy) = std::env::var("https_proxy") {
+            debug(&format!("https_proxy detected: {}", https_proxy));
 
-        if std::env::var("CORGEA_ACCEPT_CERT").is_ok() {
-            debug(&format!("Skipping CA cert validation"));
-            builder = builder.danger_accept_invalid_certs(true);
+            if std::env::var("CORGEA_ACCEPT_CERT").is_ok() {
+                debug(&format!("Skipping CA cert validation"));
+                builder = builder.danger_accept_invalid_certs(true);
+            }
         }
+
+        builder.build().expect("Failed to build http client")
+    });
+
+pub struct HttpClient {
+    inner: reqwest::blocking::Client,
+}
+
+pub struct DebugRequestBuilder {
+    client: reqwest::blocking::Client,
+    inner: reqwest::blocking::RequestBuilder,
+}
+
+impl HttpClient {
+    pub fn get<U: reqwest::IntoUrl>(&self, url: U) -> DebugRequestBuilder {
+        DebugRequestBuilder { client: self.inner.clone(), inner: self.inner.get(url) }
     }
 
-    builder.build().expect("Failed to build http client")
+    pub fn post<U: reqwest::IntoUrl>(&self, url: U) -> DebugRequestBuilder {
+        DebugRequestBuilder { client: self.inner.clone(), inner: self.inner.post(url) }
+    }
+
+    pub fn patch<U: reqwest::IntoUrl>(&self, url: U) -> DebugRequestBuilder {
+        DebugRequestBuilder { client: self.inner.clone(), inner: self.inner.patch(url) }
+    }
+}
+
+impl DebugRequestBuilder {
+    pub fn header<K, V>(self, key: K, value: V) -> Self
+    where
+        reqwest::header::HeaderName: TryFrom<K>,
+        <reqwest::header::HeaderName as TryFrom<K>>::Error: Into<http::Error>,
+        reqwest::header::HeaderValue: TryFrom<V>,
+        <reqwest::header::HeaderValue as TryFrom<V>>::Error: Into<http::Error>,
+    {
+        Self { inner: self.inner.header(key, value), client: self.client }
+    }
+
+    pub fn query<T: Serialize + ?Sized>(self, query: &T) -> Self {
+        Self { inner: self.inner.query(query), client: self.client }
+    }
+
+    pub fn multipart(self, form: reqwest::blocking::multipart::Form) -> Self {
+        Self { inner: self.inner.multipart(form), client: self.client }
+    }
+
+    pub fn body<T: Into<reqwest::blocking::Body>>(self, body: T) -> Self {
+        Self { inner: self.inner.body(body), client: self.client }
+    }
+
+    pub fn send(self) -> reqwest::Result<reqwest::blocking::Response> {
+        use reqwest::cookie::CookieStore;
+
+        let token = AUTH_TOKEN.read().unwrap().clone();
+        let builder = if !token.is_empty() {
+            self.inner.headers(auth_headers(&token))
+        } else {
+            self.inner
+        };
+
+        let request = builder.build()?;
+
+        debug(&format!("→ {} {}", request.method(), request.url()));
+        debug(&format!("  Request headers: {:?}", request.headers()));
+        match COOKIE_JAR.cookies(request.url()) {
+            Some(cookies) => debug(&format!("  Cookie: {}", cookies.to_str().unwrap_or("<binary>"))),
+            None => debug("  Cookie: (none in jar for this URL)"),
+        }
+
+        let response = self.client.execute(request)?;
+
+        debug(&format!("← {} {}", response.status(), response.url()));
+        debug(&format!("  Response headers: {:?}", response.headers()));
+
+        Ok(response)
+    }
+}
+
+pub fn http_client() -> HttpClient {
+    HttpClient { inner: SHARED_CLIENT.clone() }
 }
 
 fn check_for_warnings(headers: &HeaderMap, status: StatusCode) {
@@ -58,7 +167,6 @@ pub struct UploadZipResult {
 
 pub fn upload_zip(
     file_path: &str,
-    token: &str,
     url: &str,
     project_name: &str,
     repo_info: Option<utils::generic::RepoInfo>,
@@ -84,8 +192,6 @@ pub fn upload_zip(
 
     let response_object = client
         .post(format!("{}{}/start-scan", url, API_BASE))
-        .header("CORGEA-TOKEN", token)
-        .header("CORGEA-SOURCE", get_source())
         .query(&[
             ("scan_type", "blast"),
         ])
@@ -174,8 +280,6 @@ pub fn upload_zip(
 
         let response = match client
         .patch(format!("{}{}/start-scan/{}/", url, API_BASE, transfer_id))
-        .header("CORGEA-TOKEN", token)
-        .header("CORGEA-SOURCE", get_source())
         .header("Upload-Offset", offset.to_string())
         .header("Upload-Length", file_size.to_string())
         .header("Upload-Name", file_name)
@@ -236,12 +340,12 @@ pub fn upload_zip(
     Err("Failed to upload file".into())
 }
 
-pub fn get_all_issues(url: &str, token: &str, project: &str, scan_id: Option<String>) -> Result<Vec<Issue>, Box<dyn std::error::Error>> {
+pub fn get_all_issues(url: &str, project: &str, scan_id: Option<String>) -> Result<Vec<Issue>, Box<dyn std::error::Error>> {
     let mut all_issues = Vec::new();
     let mut current_page: u32 = 1;
 
     loop {
-        let response = match get_scan_issues(url, token, project, Some(current_page as u16), Some(30), scan_id.clone()) {
+        let response = match get_scan_issues(url, project, Some(current_page as u16), Some(30), scan_id.clone()) {
             Ok(response) => response,
             Err(e) => return Err(format!("Failed to get scan issues: {}", e).into())
         };
@@ -267,7 +371,6 @@ pub fn get_all_issues(url: &str, token: &str, project: &str, scan_id: Option<Str
 
 pub fn get_scan_issues(
     url: &str,
-    token: &str,
     project: &str,
     page: Option<u16>,
     page_size: Option<u16>,
@@ -295,14 +398,10 @@ pub fn get_scan_issues(
         url.push_str("&page_size=30");
     }
     let client = http_client();
-    let mut headers = HeaderMap::new();
-    headers.insert("CORGEA-TOKEN", token.parse().unwrap());
-    headers.insert("CORGEA-SOURCE", get_source().parse().unwrap());
 
     debug(&format!("Sending request to URL: {}", url));
-    debug(&format!("Headers: {:?}", headers));
 
-    let response = match client.get(&url).headers(headers).send() {
+    let response = match client.get(&url).send() {
         Ok(res) => {
             check_for_warnings(res.headers(), res.status());
             res
@@ -324,19 +423,13 @@ pub fn get_scan_issues(
     }
 }
 
-pub fn get_scan(url: &str, token: &str, scan_id: &str) -> Result<ScanResponse, Box<dyn std::error::Error>>  {
+pub fn get_scan(url: &str, scan_id: &str) -> Result<ScanResponse, Box<dyn std::error::Error>>  {
     let url = format!("{}{}/scan/{}", url, API_BASE, scan_id);
 
     let client = http_client();
-
-    let mut headers = HeaderMap::new();
-    headers.insert("CORGEA-TOKEN", token.parse().unwrap());
-    headers.insert("CORGEA-SOURCE", get_source().parse().unwrap());
     debug(&format!("Sending request to URL: {}", url));
-    debug(&format!("Headers: {:?}", headers));
     let response = client
         .get(&url)
-        .headers(headers)
         .send()
         .map_err(|e| format!("Failed to send request: {}", e))?;
 
@@ -354,7 +447,7 @@ pub fn get_scan(url: &str, token: &str, scan_id: &str) -> Result<ScanResponse, B
     }
 }
 
-pub fn get_scan_report(url: &str, token: &str, scan_id: &str, format: Option<&str>) -> Result<String, Box<dyn std::error::Error>> {
+pub fn get_scan_report(url: &str, scan_id: &str, format: Option<&str>) -> Result<String, Box<dyn std::error::Error>> {
     let url = if let Some(fmt) = format {
         format!("{}{}/scan/{}/report?format={}", url, API_BASE, scan_id, fmt)
     } else {
@@ -362,16 +455,11 @@ pub fn get_scan_report(url: &str, token: &str, scan_id: &str, format: Option<&st
     };
 
     let client = http_client();
-    let mut headers = HeaderMap::new();
-    headers.insert("CORGEA-TOKEN", token.parse().unwrap());
-    headers.insert("CORGEA-SOURCE", get_source().parse().unwrap());
 
     debug(&format!("Sending request to URL: {}", url));
-    debug(&format!("Headers: {:?}", headers));
 
     let response = client
         .get(&url)
-        .headers(headers)
         .send()
         .map_err(|e| format!("Failed to send request: {}", e))?;
 
@@ -384,7 +472,7 @@ pub fn get_scan_report(url: &str, token: &str, scan_id: &str, format: Option<&st
     }
 }
 
-pub fn get_issue(url: &str, token: &str, issue: &str) -> Result<FullIssueResponse, Box<dyn std::error::Error>> {
+pub fn get_issue(url: &str, issue: &str) -> Result<FullIssueResponse, Box<dyn std::error::Error>> {
     let url = format!(
         "{}{}/issue/{}",
         url,
@@ -392,12 +480,8 @@ pub fn get_issue(url: &str, token: &str, issue: &str) -> Result<FullIssueRespons
         issue,
     );
     let client = http_client();
-    let mut headers = HeaderMap::new();
-    headers.insert("CORGEA-TOKEN", token.parse().unwrap());
-    headers.insert("CORGEA-SOURCE", get_source().parse().unwrap());
     debug(&format!("Sending request to URL: {}", url));
-    debug(&format!("Headers: {:?}", headers));
-    let response = match client.get(&url).headers(headers).send() {
+    let response = match client.get(&url).send() {
         Ok(res) => {
             check_for_warnings(res.headers(), res.status());
             res
@@ -418,7 +502,6 @@ pub fn get_issue(url: &str, token: &str, issue: &str) -> Result<FullIssueRespons
 
 pub fn query_scan_list(
     url: &str,
-    token: &str,
     project: Option<&str>,
     page: Option<u16>,
     page_size: Option<u16>
@@ -437,14 +520,9 @@ pub fn query_scan_list(
 
 
     let client = http_client();
-    let mut headers = HeaderMap::new();
-    headers.insert("CORGEA-TOKEN", token.parse().unwrap());
-    headers.insert("CORGEA-SOURCE", get_source().parse().unwrap());
     debug(&format!("Sending request to URL: {}", url));
-    debug(&format!("Headers: {:?}", headers));
     let response = match client
         .get(url)
-        .headers(headers)
         .query(&query_params)
         .send() {
             Ok(res) => {
@@ -498,18 +576,13 @@ pub fn exchange_code_for_token(
     }
 }
 
-pub fn verify_token(token: &str, corgea_url: &str) -> Result<bool, Box<dyn Error>> {
+pub fn verify_token(corgea_url: &str) -> Result<bool, Box<dyn Error>> {
     let url = format!("{}{}/verify", corgea_url, API_BASE);
     let client = http_client();
-    let mut headers = HeaderMap::new();
-    headers.insert("CORGEA-TOKEN", token.parse().unwrap());
-    headers.insert("CORGEA-SOURCE", get_source().parse().unwrap());
     debug(&format!("Sending request to URL: {}", url));
-    debug(&format!("Headers: {:?}", headers));
 
     let response = client
         .get(&url)
-        .headers(headers)
         .send()?;
 
     check_for_warnings(response.headers(), response.status());
@@ -532,7 +605,6 @@ pub fn verify_token(token: &str, corgea_url: &str) -> Result<bool, Box<dyn Error
 
 pub fn check_blocking_rules(
     url: &str,
-    token: &str,
     sast_scan_id: &str,
     page: Option<u32>
 ) -> Result<BlockingRuleResponse, Box<dyn Error>> {
@@ -541,16 +613,11 @@ pub fn check_blocking_rules(
     let query_params = vec![("page", page.to_string())];
 
     let client = http_client();
-    let mut headers = HeaderMap::new();
-    headers.insert("CORGEA-TOKEN", token.parse().unwrap());
-    headers.insert("CORGEA-SOURCE", get_source().parse().unwrap());
     debug(&format!("Sending request to URL: {}", url));
-    debug(&format!("Headers: {:?}", headers));
     debug(&format!("Query params: {:?}", query_params));
 
     let response = match client
         .get(url)
-        .headers(headers)
         .query(&query_params)
         .send() {
             Ok(res) => {
@@ -583,7 +650,6 @@ pub fn check_blocking_rules(
 
 pub fn get_sca_issues(
     url: &str,
-    token: &str,
     page: Option<u16>,
     page_size: Option<u16>,
     scan_id: Option<String>
@@ -605,12 +671,9 @@ pub fn get_sca_issues(
 
     debug(&format!("Sending request to URL: {}", endpoint));
     debug(&format!("Query params: {:?}", query_params));
-    debug(&format!("Token: {}", token));
 
     let response = client
         .get(&endpoint)
-        .header("CORGEA-TOKEN", token)
-        .header("CORGEA-SOURCE", get_source())
         .query(&query_params)
         .send();
 
@@ -646,7 +709,6 @@ pub fn get_sca_issues(
 
 pub fn get_all_sca_issues(
     url: &str,
-    token: &str,
     _project: &str,
     scan_id: Option<String>
 ) -> Result<Vec<SCAIssue>, Box<dyn std::error::Error>> {
@@ -654,7 +716,7 @@ pub fn get_all_sca_issues(
     let mut current_page: u32 = 1;
 
     loop {
-        let response = match get_sca_issues(url, token, Some(current_page as u16), Some(30), scan_id.clone()) {
+        let response = match get_sca_issues(url, Some(current_page as u16), Some(30), scan_id.clone()) {
             Ok(response) => response,
             Err(e) => return Err(format!("Failed to get SCA issues: {}", e).into())
         };

{corgea_cli-1.8.4 → corgea_cli-1.8.7}/src/wait.rs

@@ -12,7 +12,7 @@ pub fn run(config: &Config, scan_id: Option<String>, project_id: Option<String>)
         }
     };
 
-    let scans_result = utils::api::query_scan_list(&config.get_url(), &config.get_token(), Some(&project_name), Some(1), None);
+    let scans_result = utils::api::query_scan_list(&config.get_url(), Some(&project_name), Some(1), None);
     let scans: Vec<utils::api::ScanResponse> = match scans_result {
         Ok(result) => result.scans.unwrap_or_default(),
         Err(e) => {
@@ -31,7 +31,7 @@ pub fn run(config: &Config, scan_id: Option<String>, project_id: Option<String>)
     };
     let (scan_id, processed) = match scan_id {
         Some(scan_id) => {
-            let processed = match blast::check_scan_status(&scan_id, &config.get_url(), &config.get_token()) {
+            let processed = match blast::check_scan_status(&scan_id, &config.get_url()) {
                 Ok(processed) => processed,
                 Err(_) => {
                     eprintln!(
@@ -73,7 +73,7 @@ pub fn run(config: &Config, scan_id: Option<String>, project_id: Option<String>)
         print!("Scan has been processed successfully!\n");
     }
 
-    match blast::report_scan_status(&config.get_url(), &config.get_token(), &project_name) {
+    match blast::report_scan_status(&config.get_url(), &project_name) {
         Ok(_) => {
             println!(
                 "\n\nYou can view the scan results at the following link:\n{}",